[i.MX8M Plus] Is secure-jtag, a trace32 demo script, executed normally?

dhj · ‎06-27-2023

To use Secure jtag, I referred to document AN4686 (Secure Debug in i.MX 6/7/8M Family of Applications Processors).

# Environment

The working environment uses imx8mp SoC, and Trace32 uses the 2023/02 version.

# eFusing

and, The efusing proceeded as follows.

- SJC_RESP (*imx8mp has 128 bits unlike other SoCs)

fuse prog 8 0 0x55aa1234
fuse prog 8 1 0x00aa5533
fuse prog 15 1 0x55aa1234
fuse prog 15 2 0x00aa5533

- Burn SJC_RESP_LOCK (<- Is it a must-have when testing?)
fuse prog 0 0 0x400

- Burn JTAG_SMOD
fuse prog 1 3 0x400000

# trace32 - script

- The test was conducted with imx8m script and im6 script.

1. imx8m script (T32\demo\arm\hardware\imx8\imx8m\secure-jtag\attachimx8m.cmm)

: Regardless of whether the response value is modified or not, the message "Keyword is too long" occurs and the script does not run normally.

2. imx6 script (T32\demo\arm\hardware\imx6\secure-jtag\attachimx.cmm)

: It doesn't give me the same error as the imx8m script, but it doesn't seem to work.

: Values such as Challenge and SJC ID do not seem to be read normally.

: A "read/write test failed" message appears.

2-1. The response value was modified to match the efusing value. (64bit)

ENTRY &challenge
&response=0x00aa553355aa1234
ENDDO &response

: But I'm still having problems. So I tried inputting the entire 128bit instead of 64bit.

2-2. The response value was modified to match the efusing value. (128bit)

ENTRY &challenge
&response=0x00aa553355aa123400aa553355aa1234
ENDDO &response

: However, an error occurred because the size of the response variable could not accept 128 bits.

Can you tell me what's wrong?

joanxie · ‎06-27-2023

pls refer to the document as below：

“https://community.nxp.com/t5/Blogs/Debug-i-MX8MP-uboot-with-TRACE32/ba-p/1615599”

dhj · ‎06-27-2023

I am also able to debug via trace32 under normal conditions.

What I inquired about is how to enable and use Secure Jtag.

Secure Debug in i.MX 6/7/8M Family of Applications Processors

joanxie · ‎06-28-2023

I checked again, it seems the cmm you use is for imx8mq, not for imx8mp, so this cmm file only supports 64bits, do you have NDA with NXP? if yes, pls share with me, let me try to get imx8mp cmm for you

joanxie · ‎06-28-2023

could you share your cmm file with me?

dhj · ‎06-28-2023

I tested with 2 cases (imx6, imx8m).

Each script was based on the demo script supported by T32, and the encrypted *.cmmx file was not touched.

1. Base: T32\demo\arm\hardware\imx6\secure-jtag

1-1. attachimx.cmm

RESET
AREA
SYStem.CPU iMX8MQ
CORE.ASSIGN 1
SYStem.Option ResBreak OFF
SYStem.Option WaitReset 1.3s
Trace.METHOD Onchip

; deprecated SYStem.MultiCore.tristate OFF
SYStem.CONFIG.TriState OFF

DO ~~~~/imx6_attach_secured.cmmx ENRESET=OFF
SYStem.JtagClock 10MHz

SYStem.Mode Attach

IF STATE.RUN()
Break

ENDDO

1-2. calculateresponse.cmm

ENTRY &challenge
&response=0x00aa553355aa1234 ;
ENDDO &response

2. Base: T32\demo\arm\hardware\imx8\imx8m\secure-jtag

2-1. attachimx8m.cmm

RESet
SYStem.RESet
SYStem.CPU IMX8MQ
SYStem.JtagClock CTCK 10MHz
SYStem.Option ResBreak OFF
SYStem.Option WaitIDCODE 1.5s
CORE.ASSIGN 1.
Trace.DISable
SYStem.Mode Prepare

DO ~~~~/imx8m_attach_secured.cmmx

;CORE.ASSIGN 1.

SYStem.Mode Attach

IF RUN()
  Break
  
ENDDO

2-2. calculate_response.cmm

PRIVATE &nChallenge &nResponse
PARAMETERS &nChallenge

&nResponse=0xaa553355aa1234 ;
;&nResponse=0x55aa1234aa5533 ;

ENDDO "&nResponse"

joanxie · ‎06-29-2023

did you see my last response? your cmm file isn't for imx8mp, if you have NDA, pls share it, let me check if I can share the imx8mp cmm file with you

dhj · ‎07-02-2023

As you said, I checked the NDA.
I requested it separately via DM, so please check it please!

joanxie · ‎07-13-2023

I have mailed to you the script, pls check it and test again

dhj · ‎07-16-2023

Thank you for sending the script!

However, when executing the provided script, unfortunately, it is not possible to perform the attach for debugging successfully.

I was able to confirm that reading the Challenge value is functioning correctly. (However, I'm not sure where to read the SJC ID and what it signifies.)

As for the response value, I have modified the script based on the values I wrote. (Just to mention again, the imx8mp soc has a total of 128 bits in the response value.)

Other than the response value, no separate modifications were made, and when running the script, I confirmed that it is still not possible to perform the attach as before.

Am I missing Somthing?

joanxie · ‎07-12-2023

the owner is still working on this, any update, I will mail to you ASAP

joanxie · ‎07-05-2023

I was told that the owner is on vacation, she will come back to office on 7/10, so she will handle this script issue after 7/10, pls wait with patience

joanxie · ‎07-05-2023

I have already submit this to internal team, they will check the NDA and give me the response, any update, I will let you know it ASAP

[i.MX8M Plus] Is secure-jtag, a trace32 demo script, executed normally?

[i.MX8M Plus] Is secure-jtag, a trace32 demo script, executed normally?

i.MX 8 Family | i.MX 8QuadMax (8QM) | 8QuadPlus

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano

Security